Author Posts

May 8, 2018 at 1:42 pm


I have a certificate asset in Azure Automation account. I also have a Windows Server 2016 on-premises machine on-boarded to Azure Automation DSC. My goal is to install the certificate into the LOCAL_MACHINE\My certificate store on that server and grant a certain domain account access to the private key.

I found the CertificateDsc resource on GitHub, but it does not seem to suit the bill. Am I missing anything? This seems to be a pretty mainstream configuration task, so there must be such a resource already, I just cannot find it.

Any help is much appreciated. Thank you.

May 8, 2018 at 2:17 pm

Potentially? I've not done this before, but if you're using Azure Automation DSC, You might be able to leverage the Get-AutomationCertificate cmdlet. Much like the Get-AutomationPSCredential cmdlet, you should be able to call it in your config. But it looks like it grabs the entire certificate object, so you might have to leverage the xScript resource or create a custom resource to import the object instead of feeding it a path and other info.

May 8, 2018 at 3:40 pm

I am aware of the possibility to create a custom resource. But I would like to concentrate on configuring the servers, rather than developing (and hence spending time to debug and fix bugs) resources.

Therefore, I am checking if I am missing something that already exists, because I cannot imagine configuring a web server without configuring SSL certificates. Pretty basic stuff.

Now, suppose I use Get-AutomationCertificate to get the certificate object. What is next? It is unclear how to proceed from there to installing it on the machine.

May 10, 2018 at 1:25 pm

My current solution is as follows:

  1. Place the PFX file in an Azure File Storage and obtain the SAS token.
  2. Add the credentials to the PFX file as an Azure Automation Asset
  3. Use the following DSC configuration to ensure the certificate is installed:
    Configuration QAWebServer
        Import-DscResource -ModuleName xPSDesiredStateConfiguration
        Import-DscResource -ModuleName CertificateDsc
        $MyServerCertPfxCred = Get-AutomationPSCredential -Name MyServerCert
        node localhost
            xRemoteFile GetMyServerCertPfx
                Uri             = "https://******"
                DestinationPath = "$env:TEMP\MyServerCert.pfx"
            PfxImport ImportMyServerCertPfx
                Ensure     = "Present"
                DependsOn  = "[xRemoteFile]GetMyServerCertPfx"
                Thumbprint = "***"
                Path       = "$env:TEMP\MyServerCert.pfx"
                Location   = "LocalMachine"
                Store      = "My"
                Credential = $MyServerCertPfxCred

There is, however, a problem – the certificate is left on the target machine. I would like to avoid it.

One idea could be instead of copying the certificate to share the Azure File Storage container having the PFX file and install it from the share, but then the share remains permanently mounted on the target machine – essentially the same problem.

I am looking for a way to ensure the certificate is present without leaving a trace.

I thought I could add a File resource with Ensure = "Absent" and make it depend on the PfxImport resource, but then how will it work? Will it constantly download the certificate, ensure it is installed (it would be) and then delete it again? Doing this every 30 minutes? Is this the right approach?

May 10, 2018 at 9:18 pm

You can compile Azure Automation Variable into DSC and provide to your machine and perform import of that blob as part of DSC. I'm doing something similar with swarm template in Azure which requires SSL certs to be present on client ( and here is part where this certificate is being extracted into file system, so on last step instead of saving it into file system you will just impport it into certificate store.